Your data is yours.
This page explains what that means in practice.
This Privacy Policy is published as scaffolding pending review by LouDNAi's outside counsel. The terms below describe LouDNAi's actual privacy posture and operational practices in good faith. Customers entering into agreements with LouDNAi rely on the executed contracts (MSA, DPA, BAA) for binding obligations. Material updates will be flagged with an effective date and posted to this page; subscribers receive email notification of material changes.
Scope & applicability
This Privacy Policy applies to information collected by LouDNAi, Inc. ("LouDNAi," "we," "us") through the LouDNAi website at loudnai.ai, our customer portal, our marketing communications, and our customer-facing services (collectively, the "Services"). It applies to all users — prospective customers, signed customers, customer end-users (where applicable), website visitors, and individuals who contact us.
For customers' end-users (e.g., patients of a healthcare practice, owners of a construction project), LouDNAi acts as a data processor on behalf of the customer (the data controller). The customer's privacy policy governs the end-user relationship; LouDNAi's processing is governed by the executed Data Processing Agreement (DPA) and, where applicable, the Business Associate Agreement (BAA) with that customer.
What we collect
From website visitors
- Identifiers: IP address, browser type, device type, operating system, referrer URL.
- Activity data: pages viewed, time on page, scroll depth, links clicked, form submissions.
- Inquiry data: name, company, email, phone (if provided), inquiry content, source.
From prospective and signed customers
- Account information: name, title, company, email, phone, billing address.
- Contracting information: entity name, EIN, signatory information, payment method.
- Discovery information: stack inventory, workflow descriptions, operational metrics shared during DNA Scan or strategy sessions.
From customer-deployed Fleets
- Customer business data: documents, configurations, agent inputs and outputs, integration data flowing through the Fleet.
- Customer end-user data: as applicable per the customer's use case (e.g., patient identifiers in Healthcare under BAA, contractor names in Construction).
- Operational telemetry: agent traces, eval results, performance metrics, audit logs.
What we do not collect
- Sensitive personal information beyond what's required for the Services and disclosed in the DPA/BAA.
- Information from children under 16 (LouDNAi does not target or market to children).
- Biometric identifiers from end-users without explicit customer-side opt-in.
- Information from sources we have not contracted with or that visitors have not voluntarily provided.
How we use it
LouDNAi uses information for the following purposes, with the lawful basis (under GDPR) noted where applicable:
| Purpose | Lawful basis (GDPR) |
|---|---|
| Deliver the Services to customers | Performance of contract |
| Bill customers and manage AR | Performance of contract; legal obligation (tax) |
| Respond to inquiries and provide support | Legitimate interest; consent (where applicable) |
| Improve the Services and develop new ones | Legitimate interest (with safeguards) |
| Send marketing communications | Consent; legitimate interest with opt-out |
| Comply with legal obligations | Legal obligation |
| Detect and prevent fraud, abuse, security incidents | Legitimate interest; legal obligation |
| Defend or pursue legal claims | Legitimate interest; legal obligation |
What LouDNAi does not do: we do not sell your personal information. We do not use customer business data to train models that benefit other customers — your data is yours, and the agents that learn from it serve only you. We do not share information with third parties for their own marketing purposes.
Your rights
Depending on jurisdiction, you may have the following rights with respect to your personal information:
- Right of access: request a copy of personal information we hold about you.
- Right to rectification: correct inaccurate or incomplete information.
- Right to erasure: request deletion, subject to legal retention requirements.
- Right to portability: receive your data in a machine-readable format.
- Right to restrict or object to processing: pause processing pending dispute resolution or for direct marketing.
- Right to non-discrimination: exercising any of these rights does not result in discriminatory treatment.
To exercise these rights, email legal@loudnai.ai. We respond within 30 days (or as required by applicable law). We may need to verify your identity before fulfilling certain requests.
California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights:
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information collected from you, subject to exceptions.
- Right to opt out of the sale or sharing of personal information. LouDNAi does not sell or share personal information for cross-context behavioral advertising within the meaning of CCPA/CPRA.
- Right to limit the use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
- Right to correct inaccurate personal information.
To exercise CCPA/CPRA rights, email legal@loudnai.ai with the subject line "California Privacy Request" and identify the right you are exercising.
EU / UK residents (GDPR)
If you are in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) and UK GDPR grant additional rights and impose specific obligations on us as a controller (and processor, where applicable):
- Lawful basis: as documented in §03 above.
- Data subject rights: as documented in §05 above. Additionally, you have the right to lodge a complaint with your local supervisory authority.
- Data protection officer (DPO): LouDNAi has not appointed a DPO as we are not required to under GDPR Article 37; however, our privacy contact (legal@loudnai.ai) handles all GDPR inquiries.
- International transfers: see §10 below for the safeguards applied to transfers outside the EEA/UK.
Cookies & tracking
LouDNAi's website uses cookies and similar technologies for the following purposes:
- Strictly necessary cookies: session management, authentication, security. These cannot be opted out of without breaking the website.
- Analytics cookies: aggregate site usage data (we use a privacy-respecting analytics tool that does not set persistent third-party tracking cookies).
- Functional cookies: remember user preferences (e.g., dark/light mode, dismissed banners).
We do not use cookies for cross-context behavioral advertising. We do not embed third-party retargeting pixels (Meta, LinkedIn, Google Ads pixels). The Do Not Track browser signal is honored.
Retention & deletion
| Category | Retention period |
|---|---|
| Active customer data | Term of the customer agreement |
| Audit logs (HIPAA / SOC 2) | ≥ 6 years |
| Customer business data on termination | Deleted within 30 days; deletion certificate available on request |
| Backups | Follows active-data lifecycle; deleted on the same schedule |
| Inquiry data (no purchase) | 24 months from last contact |
| Marketing email subscriber data | Until unsubscribed; then deleted within 30 days |
| Billing and tax records | 7 years (US tax law) |
| Aggregated/anonymized data | May be retained indefinitely for service improvement |
International transfers
LouDNAi is headquartered in the United States. Customer data is processed and stored in US regions of supported cloud providers by default. EU customers may opt for EU-only data residency on the enterprise tier.
For transfers from the EEA, UK, or Switzerland to the US or other jurisdictions without an adequacy decision, LouDNAi relies on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, executed as part of our DPA. We conduct transfer impact assessments where required.
Security
LouDNAi maintains administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. Full security posture is documented at /legal/compliance.html#security. Highlights include:
- AES-256 encryption at rest; TLS 1.3 in transit.
- SSO + MFA on all production access.
- Per-tenant data isolation enforced in code.
- Continuous vulnerability scanning, annual third-party penetration testing.
- Incident response plan with 72-hour customer notification SLA for material security incidents.
- SOC 2 Type 1 audit in flight (target Q3 2026).
No security program is perfect. If you become aware of a vulnerability, email security@loudnai.ai. We acknowledge within 48 hours.
Children
LouDNAi's Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact legal@loudnai.ai and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be flagged at the top of this page with an updated effective date and posted at least 30 days in advance of taking effect. Customers and email-subscribed individuals will receive notification of material changes.
Contact us
Privacy inquiries, rights requests, or general questions: legal@loudnai.ai
Security inquiries or vulnerability disclosure: security@loudnai.ai
Postal address: LouDNAi, Inc. — address to be appended on entity formation completion. Customers needing a postal address before then may contact legal@loudnai.ai.
EU/UK representative: not currently appointed. If LouDNAi acquires EU/UK customers requiring a designated representative under GDPR Article 27, one will be appointed and identified here.